
1 Executive Report
The Cybersecurity and Infrastructure Security Agency (CISA) Cyber Assessments (CCA) team produced this
report for «Org-Name» («Acronym») in support of a Phishing Campaign Assessment (PCA) conducted «Start-Date»
to «End-Date». CCA conducts PCAs, upon customer request, to measure an organization’s propensity to click on
email phishing lures. A PCA is a practical exercise intended to support and measure the effectiveness of security
awareness training for information system users. The results of this PCA show the potential susceptibility of
«Acronym» personnel to social engineering attacks—specifically email phishing attacks—in which an adversary
tricks an email user into clicking a malicious link to gain unauthorized network access. The assessment’s
goal was to isolate the human behavioral response to these types of attacks; no exploits were used during
the assessment. The assessment operated under the scenario that technical controls were unable to detect,
report, or stop the email phishing attempts from reaching the end user. CCA measured «Acronym»’s level of
susceptibility to a phishing attack using targeted user click rates, click times, response rates, and response
times, as shown in table 1. This report aims to enhance «Acronym»’s understanding of their information system
users’ cybersecurity behavior and to promote a secure and resilient workforce.
Table 1: Targeted user measurements

User Activity Metrics                                            Results
Total users targeted for phishing                                «Num-Users»
# of emails (phishing attempts) sent overall                     «Sum-Emails-Sent» («Num-Email-Per-User» per user)
# of clicked emails (successful phishing attempts) overall [1]   «Sum-Unique-Clicks» («Click-Rate»% click rate)
# of phished users overall [2]                                   «Unique-User-Clicks» («Unique-User-Click-PercentPop»% of target population)
# of user reports sent to helpdesk overall [3]                   «Total-User-Reports» («Report-Rate» report rate)
Ratio of reports-to-clicks                                       «Report-Ratio»
Average time to first click [4][5]                               «Ave-Time-First-Click»
Average time to first report [6]                                 «Ave-Time-First-Report»
Most clicked phishing template                                   «Most-Successful»
CCA has provided this PCA to «Acronym» at no cost and coordinated all activities — including planning and
testing — with «Acronym»’s point of contact (POC). «Acronym» maintained control over the testing, including
providing target email addresses, approving phishing email templates, approving testing timeframes, and adjusting
mail security settings to ensure inbox access. This PCA was not intended to, and did not, test technical controls or
electronic protections designed to block phishing attempts. This PCA spanned a six-week period and aimed to
capture metrics of «Acronym» information system users’ reactions to phishing emails of multiple deception levels.
[1] Click rate is the total number of emails with “malicious” links that users clicked on divided by the total number of emails sent.
[2] There were «Unique-User-Clicks» users who clicked a “malicious” link at least once by the end of the PCA out of the «Num-Users»
that were phished. There were «User-Multi-Campaign» users who clicked in more than one campaign.
[3] Reporting rate is the total number of user reports to the helpdesk divided by the total number of phishing emails sent.
[4] Average time to first click and first report is calculated with the geometric mean to compensate for a small sample size that is sensitive
to being skewed by outliers.
[5] Click time is the elapsed time between CCA sending the email and the user clicking the link within it.
[6] Average time to first click and first report is calculated with the geometric mean to compensate for a small sample size that is sensitive
to being skewed by outliers.
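The following is an added example, not CISA's own tooling, showing how the Table 1 metrics and the footnote definitions (click rate, report rate, reports-to-clicks ratio, multi-campaign clickers, and the geometric-mean time to first click and first report) can be computed from a constructed set of campaign records; the record layout, user names and templates are assumptions for illustration.

```python
# Added example (not CISA's tooling): derive the Table 1 metrics from
# constructed phishing-campaign records; geometric mean per footnotes 4/6.
from collections import Counter
from math import exp, log

# Constructed sample data, one tuple per email sent:
# (campaign, template, user, minutes_to_click, minutes_to_report); None = no action.
SENT = [
    (1, "Password Reset", "alice", 12, None),
    (1, "Password Reset", "bob", None, 30),
    (1, "Password Reset", "carol", None, None),
    (2, "Shared Document", "alice", 5, None),
    (2, "Shared Document", "bob", 90, 95),
    (2, "Shared Document", "carol", None, 20),
    (3, "Payroll Update", "alice", None, None),
    (3, "Payroll Update", "bob", None, 45),
    (3, "Payroll Update", "carol", 240, None),
]

def geometric_mean(values):
    # exp(mean(log x)): one very slow clicker skews this far less than it
    # would skew the arithmetic mean of a small sample.
    return exp(sum(log(v) for v in values) / len(values)) if values else None

def first_times(records, idx):
    # Earliest click (idx=3) or report (idx=4) time per user across campaigns.
    first = {}
    for rec in records:
        first[rec[2]] = min(rec[idx], first.get(rec[2], rec[idx]))
    return first

def pca_metrics(sent):
    emails, users = len(sent), {r[2] for r in sent}
    clicks = [r for r in sent if r[3] is not None]
    reports = [r for r in sent if r[4] is not None]
    clickers = Counter(r[2] for r in clicks)   # clicks per distinct user
    return {
        "users_targeted": len(users),
        "emails_sent": emails,
        "clicks": len(clicks),
        "click_rate": len(clicks) / emails,                               # [1]
        "phished_users": len(clickers),
        "phished_pct_of_population": len(clickers) / len(users),
        "multi_campaign_clickers": sum(n > 1 for n in clickers.values()),  # [2]
        "reports": len(reports),
        "report_rate": len(reports) / emails,                             # [3]
        "reports_to_clicks": len(reports) / len(clicks) if clicks else None,
        "avg_time_first_click_min": geometric_mean(list(first_times(clicks, 3).values())),
        "avg_time_first_report_min": geometric_mean(list(first_times(reports, 4).values())),
        "most_clicked_template": Counter(r[1] for r in clicks).most_common(1)[0][0] if clicks else None,
    }
```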
Page | 4 of 37